KnowBe4 Security Awareness Training Blog

Disgusting Fake Employment Site Targets Veterans And Installs Remote Access Trojan

Written by Stu Sjouwerman | Sep 24, 2019 8:59:04 PM

Just when you think they could not sink any lower, you see something like this. A fake website pretending to be an organization that offers job opportunities for U.S. veterans is distributing malware that lets the attackers gain full control over a victim's computer. These lowlifes use social engineering to trick vets into visiting the site.

Researchers from ESET have found a website that pretends to be the organization called HMH, or Hire Military Heroes, and offers a desktop application that veterans can use to find job opportunities.

ESET states that the attackers behind this website are a threat actor group named Tortoiseshell, which Symantec recently identified as an attacker that targeted IT companies in order to gain access to their customers.

If the program is launched, a small loading screen will appear that states "Hire Military Heroes is a new resource for hiring armed forces." and that it is trying to connect to the database.

While this screen is being displayed, the malware is actually downloading two other malware files and saving them to the computer.

It will then show an alert that states "Sorry. Your security solution is terminating connections to our servers." This fake error is displayed to make it appear that this is a legitimate program that did not work on the computer.

In addition to the information-gathering malware, a remote access Trojan will also be installed on the computer. This Trojan will be installed as a Windows service with a service name of "dllhost" and a display name of "Dll host".

This service will be configured to start automatically so that the infection starts every time Windows starts. Technical details, links and screenshots are at Bleepingcomputer:

https://www.bleepingcomputer.com/news/security/fake-employment-site-created-to-target-veterans-with-malware/
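
A triage check for the service-based persistence described above (service name "dllhost", display name "Dll host", automatic start), as an added example that is not from ESET, Bleepingcomputer or the original post. It assumes PowerShell 5.1 or later on the Windows host being checked; the helper name `Get-ServiceBinaryPath` is hypothetical.

```powershell
# Added example: look for a Windows service matching the indicators in the article.
# The two indicator values below come from the article; everything else is illustrative.
$serviceName = 'dllhost'
$displayName = 'Dll host'

function Get-ServiceBinaryPath {
    # Hypothetical helper: extract the executable from Win32_Service.PathName,
    # which may be quoted and may carry command-line arguments.
    param([string]$PathName)
    if ($PathName -match '^\s*"([^"]+)"')    { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)\b') { return $Matches[1] }
    return $PathName
}

# -eq is case-insensitive, so 'DLLHOST' or 'dll host' also match.
$hits = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -eq $serviceName -or $_.DisplayName -eq $displayName }

if ($hits) {
    foreach ($svc in $hits) {
        $binary = Get-ServiceBinaryPath -PathName $svc.PathName
        $exists = $binary -and (Test-Path -LiteralPath $binary)
        [pscustomobject]@{
            Name        = $svc.Name
            DisplayName = $svc.DisplayName
            StartMode   = $svc.StartMode   # 'Auto' matches the behaviour in the article
            State       = $svc.State
            RunsAs      = $svc.StartName
            PathName    = $svc.PathName
            # Signature status and hash of the service binary, for follow-up review
            Signature   = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $binary).Status } else { 'file not found' }
            SHA256      = if ($exists) { (Get-FileHash -LiteralPath $binary -Algorithm SHA256).Hash } else { $null }
        }
    }
} else {
    Write-Output "No service named '$serviceName' or displayed as '$displayName' was found."
}
```

A match is a lead for investigation rather than a verdict: review the reported binary path, signature status and hash before acting on it.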